ossec: split into server & agent; 2.6 -> unstable 2023-08-09

2024-09-20 04:19:00 +02:00 · 2023-12-03 10:28:59 +09:00 · 2023-12-03 10:28:59 +09:00 · ca9bcc2e2a
parent 886446e1dc
commit ca9bcc2e2a
5 changed files with 395 additions and 178 deletions
--- a/pkgs/tools/security/ossec/agent.nix
+++ b/pkgs/tools/security/ossec/agent.nix
@ -0,0 +1,69 @@
+{ lib, stdenv, fetchFromGitHub, which, pcre2, zlib, ncurses, openssl }:
+let
+  version = "unstable-2023-08-09";
+in
+stdenv.mkDerivation {
+  pname = "ossec-agent";
+  inherit version;
+
+  src = fetchFromGitHub {
+    owner = "ossec";
+    repo = "ossec-hids";
+    rev = "c8a36b0af3d4ee5252855b90236407cbfb996eb2";
+    sha256 = "sha256-AZ8iubyhNHXGR/l+hA61ifNDUoan7AQ42l/uRTt5GmE=";
+  };
+
+  # clear is used during the build process
+  nativeBuildInputs = [ ncurses ];
+
+  buildInputs = [ which pcre2 zlib openssl ];
+
+  # patch to remove root manipulation, install phase which tries to add users to the system, and init phase which tries to modify the system to launch files
+  patches = [ ./no-root.patch ];
+
+  # Workaround build failure on -fno-common toolchains like upstream
+  # gcc-10. Otherwise build fails as:
+  #   ld: src/common/mgmt/pint-worker-external.po:(.data.rel.local+0x0): multiple definition of
+  #     `PINT_worker_external_impl'; src/common/mgmt/pint-mgmt.po:(.bss+0x20): first defined here
+  env.NIX_CFLAGS_COMPILE = "-fcommon";
+
+  buildPhase = ''
+    mkdir $out
+    export USER_DIR="$out" # just to satisy the script
+    ./install.sh <<EOF
+en
+
+agent
+127.0.0.1
+yes
+yes
+yes
+EOF
+
+  '';
+
+  installPhase = ''
+      runHook preInstall
+
+      mkdir -p $out/share
+      mv $out/active-response/bin/* $out/bin
+      mv $out/etc $out/share
+      mv $out/queue $out/share
+      mv $out/var $out/share
+      mv $out/agentless $out/share
+      mv $out/.ssh $out/share
+      rm -r $out/active-response
+      rm -r $out/tmp
+
+      runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Open source host-based instrusion detection system";
+    homepage = "https://www.ossec.net";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ happysalada ];
+    platforms = platforms.all;
+  };
+}
+
--- a/pkgs/tools/security/ossec/default.nix
+++ b/pkgs/tools/security/ossec/default.nix
@ -1,45 +0,0 @@
-{ lib, stdenv, fetchurl, which }:
-
-stdenv.mkDerivation rec {
-  pname = "ossec-client";
-  version = "2.6";
-
-  src = fetchurl {
-    url = "https://www.ossec.net/files/ossec-hids-${version}.tar.gz";
-    sha256 = "0k1b59wdv9h50gbyy88qw3cnpdm8hv0nrl0znm92h9a11i5b39ip";
-  };
-
-  buildInputs = [ which ];
-
-  patches = [ ./no-root.patch ];
-
-  # Workaround build failure on -fno-common toolchains like upstream
-  # gcc-10. Otherwise build fails as:
-  #   ld: src/common/mgmt/pint-worker-external.po:(.data.rel.local+0x0): multiple definition of
-  #     `PINT_worker_external_impl'; src/common/mgmt/pint-mgmt.po:(.bss+0x20): first defined here
-  env.NIX_CFLAGS_COMPILE = "-fcommon";
-
-  buildPhase = ''
-    echo "en
-
-agent
-$out
-no
-127.0.0.1
-yes
-yes
-yes
-
-
-"   | ./install.sh
-  '';
-
-  meta = with lib; {
-    description = "Open source host-based instrusion detection system";
-    homepage = "https://www.ossec.net";
-    license = licenses.gpl2;
-    maintainers = with maintainers; [ ];
-    platforms = platforms.linux;
-  };
-}
-
--- a/pkgs/tools/security/ossec/no-root.patch
+++ b/pkgs/tools/security/ossec/no-root.patch
@ -1,7 +1,8 @@
-diff -Naur ossec-hids-2.6-orig/install.sh ossec-hids-2.6/install.sh
--- ossec-hids-2.6-orig/install.sh	2011-07-11 15:36:58.000000000 -0400
-+++ ossec-hids-2.6/install.sh	2012-07-09 09:58:57.970692818 -0400
-@@ -119,14 +119,14 @@
+diff --git a/install.sh b/install.sh
+index 387bde1a..cb6dcbf2 100755
+--- a/install.sh
+++ b/install.sh
+@@ -126,14 +126,14 @@ Install()
     # Generate the /etc/ossec-init.conf
     VERSION_FILE="./src/VERSION"
     VERSION=`cat ${VERSION_FILE}`
@ -12,19 +13,38 @@ diff -Naur ossec-hids-2.6-orig/install.sh ossec-hids-2.6/install.sh
 -    echo "TYPE=\"${INSTYPE}\"" >> ${OSSEC_INIT}
 -    chmod 600 ${OSSEC_INIT}
 -    cp -pr ${OSSEC_INIT} ${INSTALLDIR}${OSSEC_INIT}
-    chmod 644 ${INSTALLDIR}${OSSEC_INIT}
-+    echo chmod 700 ${OSSEC_INIT} > /dev/null 2>&1
-+    echo "DIRECTORY=\"${INSTALLDIR}\"" > ${INSTALLDIR}${OSSEC_INIT}
-+    echo "VERSION=\"${VERSION}\"" >> ${INSTALLDIR}${OSSEC_INIT}
-+    echo "DATE=\"`date`\"" >> ${INSTALLDIR}${OSSEC_INIT}
-+    echo "TYPE=\"${INSTYPE}\"" >> ${INSTALLDIR}${OSSEC_INIT}
-+    echo chmod 600 ${OSSEC_INIT}
-+    echo cp -pr ${OSSEC_INIT} ${INSTALLDIR}${OSSEC_INIT}
-+    echo chmod 644 ${INSTALLDIR}${OSSEC_INIT}
+-    chmod 640 ${INSTALLDIR}${OSSEC_INIT}
+    # chmod 700 ${OSSEC_INIT} > /dev/null 2>&1
+    # echo "DIRECTORY=\"${INSTALLDIR}\"" > ${OSSEC_INIT}
+    # echo "VERSION=\"${VERSION}\"" >> ${OSSEC_INIT}
+    # echo "DATE=\"`date`\"" >> ${OSSEC_INIT}
+    # echo "TYPE=\"${INSTYPE}\"" >> ${OSSEC_INIT}
+    # chmod 600 ${OSSEC_INIT}
+    # cp -pr ${OSSEC_INIT} ${INSTALLDIR}${OSSEC_INIT}
+    # chmod 640 ${INSTALLDIR}${OSSEC_INIT}
 
 
     # If update_rules is set, we need to tweak
-@@ -926,11 +926,6 @@
+@@ -148,12 +148,12 @@ Install()
+     fi
+ 
+     # Calling the init script  to start ossec hids during boot
+-    if [ "X${update_only}" = "X" ]; then
+-        runInit
+-        if [ $? = 1 ]; then
+-            notmodified="yes"
+-        fi
+-    fi
+    # if [ "X${update_only}" = "X" ]; then
+    #     runInit
+    #     if [ $? = 1 ]; then
+    #         notmodified="yes"
+    #     fi
+    # fi
+ 
+ }
+ 
+@@ -965,10 +965,10 @@ main()
         catError "0x1-location";
     fi
 
@ -32,145 +52,246 @@ diff -Naur ossec-hids-2.6-orig/install.sh ossec-hids-2.6/install.sh
 -    if [ ! "X$ME" = "Xroot" ]; then
 -        catError "0x2-beroot";
 -    fi
-
+    # # Must be root
+    # if [ ! "X$ME" = "Xroot" ]; then
+    #     catError "0x2-beroot";
+    # fi
+ 
     # Checking dependencies
     checkDependencies
- 
-diff -Naur ossec-hids-2.6-orig/src/InstallAgent.sh ossec-hids-2.6/src/InstallAgent.sh
--- ossec-hids-2.6-orig/src/InstallAgent.sh	2011-07-11 15:36:58.000000000 -0400
-+++ ossec-hids-2.6/src/InstallAgent.sh	2012-07-09 09:56:12.061870552 -0400
-@@ -80,7 +80,7 @@
+diff --git a/src/Makefile b/src/Makefile
+index 7fc04c0b..0eb27a0a 100644
+--- a/src/Makefile
+++ b/src/Makefile
+@@ -144,7 +144,7 @@ endif
+ ifeq (${uname_S},AIX)
+         INSTALL_CMD?=./install-shim-aix.ksh -m $(1) -o $(2) -g $(3)
 else
-     grep "^${USER}" /etc/passwd > /dev/null 2>&1
-     if [ ! $? = 0 ]; then
-	/usr/sbin/groupadd ${GROUP}
-+	echo /usr/sbin/groupadd ${GROUP}
+-        INSTALL_CMD?=install -m $(1) -o $(2) -g $(3)
+        INSTALL_CMD?=install
+ endif
 
-     # We first check if /sbin/nologin is present. If it is not,
-     # we look for bin/false. If none of them is present, we
-@@ -93,7 +93,7 @@
-             OSMYSHELL="/bin/false"
-         fi
-     fi        
-	/usr/sbin/useradd -d ${DIR} -s ${OSMYSHELL} -g ${GROUP} ${USER}
-+	echo /usr/sbin/useradd -d ${DIR} -s ${OSMYSHELL} -g ${GROUP} ${USER}
-     fi
- fi
+ ifdef DEBUGAD
+@@ -404,10 +404,10 @@ endif
+ install: install-${TARGET}
 
-@@ -105,31 +105,31 @@
- done
+ install-agent: install-common
+-	$(call INSTALL_CMD,0550,root,0) ossec-agentd ${PREFIX}/bin
+-	$(call INSTALL_CMD,0550,root,0) agent-auth ${PREFIX}/bin
+	$(call INSTALL_CMD) ossec-agentd ${PREFIX}/bin
+	$(call INSTALL_CMD) agent-auth ${PREFIX}/bin
 
- # Default for all directories
-chmod -R 550 ${DIR}
-chown -R root:${GROUP} ${DIR}
-+echo chmod -R 550 ${DIR}
-+echo chown -R root:${GROUP} ${DIR}
+-	$(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/rids
+	$(call INSTALL_CMD) -d ${PREFIX}/queue/rids
 
- # To the ossec queue (default for agentd to read)
-chown -R ${USER}:${GROUP} ${DIR}/queue/ossec
-chmod -R 770 ${DIR}/queue/ossec
-+echo chown -R ${USER}:${GROUP} ${DIR}/queue/ossec
-+echo chmod -R 770 ${DIR}/queue/ossec
+ install-local: install-server-generic
 
- # For the logging user
-chown -R ${USER}:${GROUP} ${DIR}/logs
-chmod -R 750 ${DIR}/logs
-chmod -R 775 ${DIR}/queue/rids
-touch ${DIR}/logs/ossec.log
-chown ${USER}:${GROUP} ${DIR}/logs/ossec.log
-chmod 664 ${DIR}/logs/ossec.log
+@@ -416,133 +416,126 @@ install-hybrid: install-server-generic
+ install-server: install-server-generic
+ 
+ install-common: build
+-	./init/adduser.sh ${OSSEC_USER} ${OSSEC_USER_MAIL} ${OSSEC_USER_REM} ${OSSEC_GROUP} ${PREFIX}
+-	$(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/
+-	$(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs
+-	$(call INSTALL_CMD,0660,${OSSEC_USER},${OSSEC_GROUP}) /dev/null ${PREFIX}/logs/ossec.log
 -
-chown -R ${USER}:${GROUP} ${DIR}/queue/diff
-chmod -R 750 ${DIR}/queue/diff
-chmod 740 ${DIR}/queue/diff/* > /dev/null 2>&1
-+echo chown -R ${USER}:${GROUP} ${DIR}/logs
-+echo chmod -R 750 ${DIR}/logs
-+echo chmod -R 775 ${DIR}/queue/rids
-+echo touch ${DIR}/logs/ossec.log
-+echo chown ${USER}:${GROUP} ${DIR}/logs/ossec.log
-+echo chmod 664 ${DIR}/logs/ossec.log
-+
-+echo chown -R ${USER}:${GROUP} ${DIR}/queue/diff
-+echo chmod -R 750 ${DIR}/queue/diff
-+echo chmod 740 ${DIR}/queue/diff/* "> /dev/null 2>&1"
+-	$(call INSTALL_CMD,0550,root,0) -d ${PREFIX}/bin
+-	$(call INSTALL_CMD,0550,root,0) ossec-logcollector ${PREFIX}/bin
+-	$(call INSTALL_CMD,0550,root,0) ossec-syscheckd ${PREFIX}/bin
+-	$(call INSTALL_CMD,0550,root,0) ossec-execd ${PREFIX}/bin
+-	$(call INSTALL_CMD,0550,root,0) manage_agents ${PREFIX}/bin
+-	$(call INSTALL_CMD,0550,root,0) ../contrib/util.sh ${PREFIX}/bin/
+-	$(call INSTALL_CMD,0550,root,0) ${OSSEC_CONTROL_SRC} ${PREFIX}/bin/ossec-control
+	$(call INSTALL_CMD) -d ${PREFIX}/bin
+	$(call INSTALL_CMD) ossec-logcollector ${PREFIX}/bin
+	$(call INSTALL_CMD) ossec-syscheckd ${PREFIX}/bin
+	$(call INSTALL_CMD) ossec-execd ${PREFIX}/bin
+	$(call INSTALL_CMD) manage_agents ${PREFIX}/bin
+	$(call INSTALL_CMD) ../contrib/util.sh ${PREFIX}/bin/
+	$(call INSTALL_CMD) ${OSSEC_CONTROL_SRC} ${PREFIX}/bin/ossec-control
 
+ ifeq (${LUA_ENABLE},yes)
+-	$(call INSTALL_CMD,0550,root,0) -d ${PREFIX}/lua
+-	$(call INSTALL_CMD,0550,root,0) -d ${PREFIX}/lua/native
+-	$(call INSTALL_CMD,0550,root,0) -d ${PREFIX}/lua/compiled
+-	$(call INSTALL_CMD,0550,root,0) ${EXTERNAL_LUA}src/ossec-lua ${PREFIX}/bin/
+-	$(call INSTALL_CMD,0550,root,0) ${EXTERNAL_LUA}src/ossec-luac ${PREFIX}/bin/
+	$(call INSTALL_CMD) -d ${PREFIX}/lua
+	$(call INSTALL_CMD) -d ${PREFIX}/lua/native
+	$(call INSTALL_CMD) -d ${PREFIX}/lua/compiled
+	$(call INSTALL_CMD) ${EXTERNAL_LUA}src/ossec-lua ${PREFIX}/bin/
+	$(call INSTALL_CMD) ${EXTERNAL_LUA}src/ossec-luac ${PREFIX}/bin/
+ endif
 
+-	$(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/queue
+-	$(call INSTALL_CMD,0770,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/alerts
+-	$(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/ossec
+-	$(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/syscheck
+-	$(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/diff
+	$(call INSTALL_CMD) -d ${PREFIX}/queue
+	$(call INSTALL_CMD) -d ${PREFIX}/queue/alerts
+	$(call INSTALL_CMD) -d ${PREFIX}/queue/ossec
+	$(call INSTALL_CMD) -d ${PREFIX}/queue/syscheck
+	$(call INSTALL_CMD) -d ${PREFIX}/queue/diff
 
+-	$(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/etc
+	$(call INSTALL_CMD) -d ${PREFIX}/etc
+ ifeq (${INSTALL_LOCALTIME},yes)
+-	$(call INSTALL_CMD,0440,root,${OSSEC_GROUP}) /etc/localtime ${PREFIX}/etc
+	$(call INSTALL_CMD) /etc/localtime ${PREFIX}/etc
+ endif
+ ifeq (${INSTALL_RESOLVCONF},yes)
+-	$(call INSTALL_CMD,0440,root,${OSSEC_GROUP}) /etc/resolv.conf ${PREFIX}/etc
+	$(call INSTALL_CMD) /etc/resolv.conf ${PREFIX}/etc
+ endif
 
- # For the etc dir
-chmod 550 ${DIR}/etc
-chown -R root:${GROUP} ${DIR}/etc
-+echo chmod 550 ${DIR}/etc
-+echo chown -R root:${GROUP} ${DIR}/etc
+-	$(call INSTALL_CMD,1550,root,${OSSEC_GROUP}) -d ${PREFIX}/tmp
+	$(call INSTALL_CMD) -d ${PREFIX}/tmp
 
- ls /etc/localtime > /dev/null 2>&1
- if [ $? = 0 ]; then
-@@ -167,25 +167,25 @@
- cp -pr ../etc/client.keys ${DIR}/etc/ > /dev/null 2>&1
- cp -pr agentlessd/scripts/* ${DIR}/agentless/
+ ifneq (,$(wildcard /etc/TIMEZONE))
+-	$(call INSTALL_CMD,440,root,${OSSEC_GROUP}) /etc/TIMEZONE ${PREFIX}/etc/
+	$(call INSTALL_CMD) /etc/TIMEZONE ${PREFIX}/etc/
+ endif
+ # Solaris Needs some extra files
+ ifeq (${uname_S},SunOS)
+-	$(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/usr/share/lib/zoneinfo/
+	$(call INSTALL_CMD) -d ${PREFIX}/usr/share/lib/zoneinfo/
+ 	cp -r /usr/share/lib/zoneinfo/* ${PREFIX}/usr/share/lib/zoneinfo/
+ endif
+-	$(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) -b ../etc/internal_options.conf ${PREFIX}/etc/
+	$(call INSTALL_CMD) -b ../etc/internal_options.conf ${PREFIX}/etc/
+ ifeq (,$(wildcard ${PREFIX}/etc/local_internal_options.conf))
+-	$(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ../etc/local_internal_options.conf ${PREFIX}/etc/local_internal_options.conf
+	$(call INSTALL_CMD) ../etc/local_internal_options.conf ${PREFIX}/etc/local_internal_options.conf
+ endif
+ ifeq (,$(wildcard ${PREFIX}/etc/client.keys))
+-	$(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) /dev/null ${PREFIX}/etc/client.keys
+	$(call INSTALL_CMD) /dev/null ${PREFIX}/etc/client.keys
+ endif
+ ifeq (,$(wildcard ${PREFIX}/etc/ossec.conf))
+ ifneq (,$(wildcard ../etc/ossec.mc))
+-	$(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ../etc/ossec.mc ${PREFIX}/etc/ossec.conf
+	$(call INSTALL_CMD) ../etc/ossec.mc ${PREFIX}/etc/ossec.conf
+ else
+-	$(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ${OSSEC_CONF_SRC} ${PREFIX}/etc/ossec.conf
+	$(call INSTALL_CMD) ${OSSEC_CONF_SRC} ${PREFIX}/etc/ossec.conf
+ endif
+ endif
 
-chown root:${GROUP} ${DIR}/etc/internal_options.conf
-chown root:${GROUP} ${DIR}/etc/local_internal_options.conf > /dev/null 2>&1
-chown root:${GROUP} ${DIR}/etc/client.keys > /dev/null 2>&1
-chown root:${GROUP} ${DIR}/agentless/*
-chown ${USER}:${GROUP} ${DIR}/.ssh
-chown -R root:${GROUP} ${DIR}/etc/shared
+-	$(call INSTALL_CMD,0770,root,${OSSEC_GROUP}) -d ${PREFIX}/etc/shared
+-	$(call INSTALL_CMD,0640,${OSSEC_USER},${OSSEC_GROUP}) rootcheck/db/*.txt ${PREFIX}/etc/shared/
+	$(call INSTALL_CMD) -d ${PREFIX}/etc/shared
+	$(call INSTALL_CMD) rootcheck/db/*.txt ${PREFIX}/etc/shared/
+ 
+-	$(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/active-response
+-	$(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/active-response/bin
+-	$(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/agentless
+-	$(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) agentlessd/scripts/* ${PREFIX}/agentless/
+	$(call INSTALL_CMD) -d ${PREFIX}/active-response
+	$(call INSTALL_CMD) -d ${PREFIX}/active-response/bin
+	$(call INSTALL_CMD) -d ${PREFIX}/agentless
+	$(call INSTALL_CMD) agentlessd/scripts/* ${PREFIX}/agentless/
+ 
+-	$(call INSTALL_CMD,0700,root,${OSSEC_GROUP}) -d ${PREFIX}/.ssh
+	$(call INSTALL_CMD) -d ${PREFIX}/.ssh
+ 
+-	$(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) ../active-response/*.sh ${PREFIX}/active-response/bin/
+-	$(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) ../active-response/firewalls/*.sh ${PREFIX}/active-response/bin/
+	$(call INSTALL_CMD) ../active-response/*.sh ${PREFIX}/active-response/bin/
+	$(call INSTALL_CMD) ../active-response/firewalls/*.sh ${PREFIX}/active-response/bin/
+ 
+-	$(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/var
+-	$(call INSTALL_CMD,0770,root,${OSSEC_GROUP}) -d ${PREFIX}/var/run
 -
-chmod 550 ${DIR}/etc
-chmod 440 ${DIR}/etc/internal_options.conf
-chmod 440 ${DIR}/etc/local_internal_options.conf > /dev/null 2>&1
-chmod 440 ${DIR}/etc/client.keys > /dev/null 2>&1
-chmod -R 770 ${DIR}/etc/shared # ossec must be able to write to it
-chmod 550 ${DIR}/agentless/*
-chmod 700 ${DIR}/.ssh
-+echo chown root:${GROUP} ${DIR}/etc/internal_options.conf
-+echo chown root:${GROUP} ${DIR}/etc/local_internal_options.conf "> /dev/null 2>&1"
-+echo chown root:${GROUP} ${DIR}/etc/client.keys "> /dev/null 2>&1"
-+echo chown root:${GROUP} ${DIR}/agentless/*
-+echo chown ${USER}:${GROUP} ${DIR}/.ssh
-+echo chown -R root:${GROUP} ${DIR}/etc/shared
+-	./init/fw-check.sh execute
+	$(call INSTALL_CMD) -d ${PREFIX}/var
+	$(call INSTALL_CMD) -d ${PREFIX}/var/run
+ 
+ 
+ 
+ install-server-generic: install-common
+-	$(call INSTALL_CMD,0660,${OSSEC_USER},${OSSEC_GROUP}) /dev/null ${PREFIX}/logs/active-responses.log
+-	$(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs/archives
+-	$(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs/alerts
+-	$(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs/firewall
+-
+-	$(call INSTALL_CMD,0550,root,0) ossec-agentlessd ${PREFIX}/bin
+-	$(call INSTALL_CMD,0550,root,0) ossec-analysisd ${PREFIX}/bin
+-	$(call INSTALL_CMD,0550,root,0) ossec-monitord ${PREFIX}/bin
+-	$(call INSTALL_CMD,0550,root,0) ossec-reportd ${PREFIX}/bin
+-	$(call INSTALL_CMD,0550,root,0) ossec-maild ${PREFIX}/bin
+-	$(call INSTALL_CMD,0550,root,0) ossec-remoted ${PREFIX}/bin
+-	$(call INSTALL_CMD,0550,root,0) ossec-logtest ${PREFIX}/bin
+-	$(call INSTALL_CMD,0550,root,0) ossec-csyslogd ${PREFIX}/bin
+-	$(call INSTALL_CMD,0550,root,0) ossec-authd ${PREFIX}/bin
+-	$(call INSTALL_CMD,0550,root,0) ossec-dbd ${PREFIX}/bin
+-	$(call INSTALL_CMD,0550,root,0) ossec-makelists ${PREFIX}/bin
+-	$(call INSTALL_CMD,0550,root,0) verify-agent-conf ${PREFIX}/bin/
+-	$(call INSTALL_CMD,0550,root,0) clear_stats ${PREFIX}/bin/
+-	$(call INSTALL_CMD,0550,root,0) list_agents ${PREFIX}/bin/
+-	$(call INSTALL_CMD,0550,root,0) ossec-regex ${PREFIX}/bin/
+-	$(call INSTALL_CMD,0550,root,0) syscheck_update ${PREFIX}/bin/
+-	$(call INSTALL_CMD,0550,root,0) agent_control ${PREFIX}/bin/
+-	$(call INSTALL_CMD,0550,root,0) syscheck_control ${PREFIX}/bin/
+-	$(call INSTALL_CMD,0550,root,0) rootcheck_control ${PREFIX}/bin/
+-
+-	$(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/stats
+-	$(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/rules
+	$(call INSTALL_CMD) /dev/null ${PREFIX}/logs/active-responses.log
+	$(call INSTALL_CMD) -d ${PREFIX}/logs/archives
+	$(call INSTALL_CMD) -d ${PREFIX}/logs/alerts
+	$(call INSTALL_CMD) -d ${PREFIX}/logs/firewall
 +
-+echo chmod 550 ${DIR}/etc
-+echo chmod 440 ${DIR}/etc/internal_options.conf
-+echo chmod 440 ${DIR}/etc/local_internal_options.conf > /dev/null 2>&1
-+echo chmod 440 ${DIR}/etc/client.keys > /dev/null 2>&1
-+echo chmod -R 770 ${DIR}/etc/shared # ossec must be able to write to it
-+echo chmod 550 ${DIR}/agentless/*
-+echo chmod 700 ${DIR}/.ssh
+	$(call INSTALL_CMD) ossec-agentlessd ${PREFIX}/bin
+	$(call INSTALL_CMD) ossec-analysisd ${PREFIX}/bin
+	$(call INSTALL_CMD) ossec-monitord ${PREFIX}/bin
+	$(call INSTALL_CMD) ossec-reportd ${PREFIX}/bin
+	$(call INSTALL_CMD) ossec-maild ${PREFIX}/bin
+	$(call INSTALL_CMD) ossec-remoted ${PREFIX}/bin
+	$(call INSTALL_CMD) ossec-logtest ${PREFIX}/bin
+	$(call INSTALL_CMD) ossec-csyslogd ${PREFIX}/bin
+	$(call INSTALL_CMD) ossec-authd ${PREFIX}/bin
+	$(call INSTALL_CMD) ossec-dbd ${PREFIX}/bin
+	$(call INSTALL_CMD) ossec-makelists ${PREFIX}/bin
+	$(call INSTALL_CMD) verify-agent-conf ${PREFIX}/bin/
+	$(call INSTALL_CMD) clear_stats ${PREFIX}/bin/
+	$(call INSTALL_CMD) list_agents ${PREFIX}/bin/
+	$(call INSTALL_CMD) ossec-regex ${PREFIX}/bin/
+	$(call INSTALL_CMD) syscheck_update ${PREFIX}/bin/
+	$(call INSTALL_CMD) agent_control ${PREFIX}/bin/
+	$(call INSTALL_CMD) syscheck_control ${PREFIX}/bin/
+	$(call INSTALL_CMD) rootcheck_control ${PREFIX}/bin/
+
+	$(call INSTALL_CMD) -d ${PREFIX}/stats
+	$(call INSTALL_CMD) -d ${PREFIX}/rules
+ ifneq (,$(wildcard ${PREFIX}/rules/local_rules.xml))
+ 	cp ${PREFIX}/rules/local_rules.xml ${PREFIX}/rules/local_rules.xml.installbackup
+-	$(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) -b ../etc/rules/*.xml ${PREFIX}/rules
+-	$(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ${PREFIX}/rules/local_rules.xml.installbackup ${PREFIX}/rules/local_rules.xml
+	$(call INSTALL_CMD) -b ../etc/rules/*.xml ${PREFIX}/rules
+	$(call INSTALL_CMD) ${PREFIX}/rules/local_rules.xml.installbackup ${PREFIX}/rules/local_rules.xml
+ 	rm ${PREFIX}/rules/local_rules.xml.installbackup
+ else
+-	$(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) -b ../etc/rules/*.xml ${PREFIX}/rules
+	$(call INSTALL_CMD) -b ../etc/rules/*.xml ${PREFIX}/rules
+ endif
 
+-	$(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/fts
+	$(call INSTALL_CMD) -d ${PREFIX}/queue/fts
 
- # For the /var/run
-chmod 770 ${DIR}/var/run
-chown root:${GROUP} ${DIR}/var/run
-+echo chmod 770 ${DIR}/var/run
-+echo chown root:${GROUP} ${DIR}/var/run
+-	$(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/rootcheck
+	$(call INSTALL_CMD) -d ${PREFIX}/queue/rootcheck
 
+-	$(call INSTALL_CMD,0750,${OSSEC_USER_REM},${OSSEC_GROUP}) -d ${PREFIX}/queue/agent-info
+-	$(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/agentless
+	$(call INSTALL_CMD) -d ${PREFIX}/queue/agent-info
+	$(call INSTALL_CMD) -d ${PREFIX}/queue/agentless
 
- # Moving the binary files
-@@ -201,11 +201,11 @@
- sh ./init/fw-check.sh execute > /dev/null
- cp -pr ../active-response/*.sh ${DIR}/active-response/bin/
- cp -pr ../active-response/firewalls/*.sh ${DIR}/active-response/bin/
-chmod 755 ${DIR}/active-response/bin/*
-chown root:${GROUP} ${DIR}/active-response/bin/*
-+echo chmod 755 ${DIR}/active-response/bin/*
-+echo chown root:${GROUP} ${DIR}/active-response/bin/*
- 
-chown root:${GROUP} ${DIR}/bin/*
-chmod 550 ${DIR}/bin/*
-+echo chown root:${GROUP} ${DIR}/bin/*
-+echo chmod 550 ${DIR}/bin/*
- 
- 
- # Moving the config file
-@@ -221,8 +221,8 @@
- else    
-     cp -pr ../etc/ossec-agent.conf ${DIR}/etc/ossec.conf
- fi
-chown root:${GROUP} ${DIR}/etc/ossec.conf
-chmod 440 ${DIR}/etc/ossec.conf
-+echo chown root:${GROUP} ${DIR}/etc/ossec.conf
-+echo chmod 440 ${DIR}/etc/ossec.conf
+-	$(call INSTALL_CMD,0750,${OSSEC_USER_REM},${OSSEC_GROUP}) -d ${PREFIX}/queue/rids
+	$(call INSTALL_CMD) -d ${PREFIX}/queue/rids
 
+-	$(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ../etc/decoder.xml ${PREFIX}/etc/
+	$(call INSTALL_CMD) ../etc/decoder.xml ${PREFIX}/etc/
 
+ 	rm -f ${PREFIX}/etc/shared/merged.mg
 
--- a/pkgs/tools/security/ossec/server.nix
+++ b/pkgs/tools/security/ossec/server.nix
@ -0,0 +1,70 @@
+{ lib, stdenv, fetchFromGitHub, which, pcre2, zlib, ncurses, openssl }:
+let
+  version = "unstable-2023-08-09";
+in
+stdenv.mkDerivation {
+  pname = "ossec-server";
+  inherit version;
+
+  src = fetchFromGitHub {
+    owner = "ossec";
+    repo = "ossec-hids";
+    rev = "c8a36b0af3d4ee5252855b90236407cbfb996eb2";
+    sha256 = "sha256-AZ8iubyhNHXGR/l+hA61ifNDUoan7AQ42l/uRTt5GmE=";
+  };
+
+  # clear is used during the build process
+  nativeBuildInputs = [ ncurses ];
+
+  buildInputs = [ which pcre2 zlib openssl ];
+
+  # patch to remove root manipulation, install phase which tries to add users to the system, and init phase which tries to modify the system to launch files
+  patches = [ ./no-root.patch ];
+
+  # Workaround build failure on -fno-common toolchains like upstream
+  # gcc-10. Otherwise build fails as:
+  #   ld: src/common/mgmt/pint-worker-external.po:(.data.rel.local+0x0): multiple definition of
+  #     `PINT_worker_external_impl'; src/common/mgmt/pint-mgmt.po:(.bss+0x20): first defined here
+  env.NIX_CFLAGS_COMPILE = "-fcommon";
+
+  buildPhase = ''
+    mkdir -p $out/logs
+    export USER_DIR="$out" # just to satisy the script
+    ./install.sh <<EOF
+en
+
+server
+n
+n
+EOF
+  '';
+
+  installPhase = ''
+      runHook preInstall
+
+      mkdir -p $out/share
+      mv $out/active-response/bin/* $out/bin
+      mv $out/etc $out/share
+      mv $out/queue $out/share
+      mv $out/var $out/share
+      mv $out/agentless $out/share
+      mv $out/.ssh $out/share
+      mv $out/logs $out/share
+      mv $out/rules $out/share
+      mv $out/stats $out/share
+      rm -r $out/active-response
+      rm -r $out/tmp
+      ls -lah $out
+
+      runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Open source host-based instrusion detection system";
+    homepage = "https://www.ossec.net";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ happysalada ];
+    platforms = platforms.all;
+  };
+}
+
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -11773,7 +11773,9 @@ with pkgs;

  osqp = callPackage ../development/libraries/science/math/osqp { };

-  ossec = callPackage ../tools/security/ossec { };
+  ossec-agent = callPackage ../tools/security/ossec/agent.nix { };
+
+  ossec-server = callPackage ../tools/security/ossec/server.nix { };

  osslsigncode = callPackage ../development/tools/osslsigncode { };